ensure string accesses are in bounds

as demonstrated by ooo39541-3.rtf Change-Id: I995f0250e98a68b1b56da877314c9fd24cf46221
2013-11-07 08:48:22 +00:00
parent eacb4a71ec
commit cc79b16a75
1 changed files with 7 additions and 3 deletions
--- a/writerfilter/source/rtftok/rtfdocumentimpl.cxx
+++ b/writerfilter/source/rtftok/rtfdocumentimpl.cxx
@@ -4041,16 +4041,20 @@ int RTFDocumentImpl::popState()
                    }
                }
                aStr = aBuf.makeStringAndClear();
+
                // ignore the first bytes
                if (aStr.getLength() > 8)
                    aStr = aStr.copy(8);
                // extract name
-                int nLength = aStr.toChar();
+                sal_Int32 nLength = aStr.toChar();
                if (!aStr.isEmpty())
                    aStr = aStr.copy(1);
+                nLength = std::min(nLength, aStr.getLength());
                OString aName = aStr.copy(0, nLength);
-                if (!aStr.isEmpty())
+                if (aStr.getLength() > nLength)
                    aStr = aStr.copy(nLength+1); // zero-terminated string
+                else
+                    aStr = OString();
                // extract default text
                nLength = aStr.toChar();
                if (!aStr.isEmpty())
@@ -4059,7 +4063,7 @@ int RTFDocumentImpl::popState()
                m_aFormfieldSprms.set(NS_ooxml::LN_CT_FFData_name, pNValue);
                if (nLength > 0)
                {
-                    OString aDefaultText = aStr.copy(0, nLength);
+                    OString aDefaultText = aStr.copy(0, std::min(nLength, aStr.getLength()));
                    RTFValue::Pointer_t pDValue(new RTFValue(OStringToOUString(aDefaultText, aState.nCurrentEncoding)));
                    m_aFormfieldSprms.set(NS_ooxml::LN_CT_FFTextInput_default, pDValue);
                }